With SilverStripe the file permissions for a few files and directories need to be writeable by the webserver. From 2.0.1 to 2.0.2 we've taken on board feedback to make the permissions alot less freaky than before. Something to reiterate is that the "open" file permissions have always related to the install process... there's never been a need for SilverStripe, once installed, to have write-permissions set other than for the assets folder (see below)
What is the best practice for us to use in setting permissions inside the .tar.gz file? Should it be rw-rw-rw, for instance?
To clarify the files are;
1) .htaccess, which gets written to once, then can be secured to readonly.
2) /mysite/ and /tutorial/ which does not require files inside to be opened up. Instead, these directories need write permission so that a file inside, _config.php, can be created. Once installed, you can make this file readonly.
3) /assets/ which is to be permanently kept web-writeable as this is where all uploads via the CMS are stored
What if were to store them as rw-rw-rw- in the tar.gz, then the installer itself would automatically make;
a) .htaccess readonly r--r--r--
b) the folders r-xr-x-r-x (the 'x' is needed to allow browsing, right?) Or is this superfluous?
c) Do we need the world-read bit set? Or is r--r----- fine.
I'm talking about what will work best in terms of most people out of the box, especially for people who are unclear or unfamilar with file permissions, etc. We want people to have a great out-of-the-box experience, rather than the first step being messing with file permissions.
This suggests thinking both about those managing their own servers as well as those installing silverstripe on random webfarm hosts...